FDE without TPM on Ubuntu Core 20/22

Hi All,

I saw some information about FDE on Ubuntu Core 20/22. I followed the steps from the documentation (https://ubuntu.com/core/docs/full-disk-encryption).

I added this to the model assertion:

{
…
"grade": "signed",
"storage-safety": "prefer-encrypted",
…
}

My disk is still not encrypted.

I saw “External I2C/SPI-based TPM modules are not currently supported.” in the documentation. My device has an SPI-based TPM.

Is this the reason for the failure?
Is there any solution to encrypt the disk without a TPM?

Yes … and no …

Only discrete attached TPMs are considered secure by our security team; TPMs attached through I2C or SPI can be sniffed through their bus, so attackers could extract the key …

and TPM is currently the only supported way on Ubuntu Core …

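For readers debugging the same symptom, the following is an added example, not part of the original thread and not the check snapd itself performs: it reads the standard Linux sysfs layout to report which bus a TPM is attached to, so an I2C/SPI module (the kind the quoted documentation sentence excludes) can be identified on the device. The helper names `tpm_bus` and `tpm_verdict` and the `SYSFS_ROOT`/`TPM_NAME` variables are hypothetical.

```shell
#!/bin/sh
# Added example: report which bus a TPM hangs off, using the sysfs layout
#   /sys/class/tpm/<name>/device/subsystem -> .../bus/<bus>
# tpm_bus and tpm_verdict are hypothetical helper names.

# Print the bus name ("spi", "i2c", "acpi", "pnp", "platform", ...),
# "absent" if the TPM is not registered with the kernel,
# "unknown" if sysfs does not expose the bus link.
tpm_bus() {
    root=${1:-/sys}
    name=${2:-tpm0}
    [ -e "$root/class/tpm/$name" ] || { echo absent; return 0; }
    link=$(readlink "$root/class/tpm/$name/device/subsystem") \
        || { echo unknown; return 0; }
    basename "$link"
}

# Turn the bus name into a one-line finding for a provisioning log.
tpm_verdict() {
    bus=$(tpm_bus "$@")
    case "$bus" in
        absent)  echo "no TPM device registered with the kernel" ;;
        unknown) echo "TPM present, but its bus could not be determined" ;;
        spi|i2c) echo "TPM is on the $bus bus: external I2C/SPI module, listed as not currently supported" ;;
        *)       echo "TPM is on the $bus bus (not I2C/SPI)" ;;
    esac
}

# SYSFS_ROOT lets the same script run against a copied or mocked sysfs tree.
tpm_verdict "${SYSFS_ROOT:-/sys}" "${TPM_NAME:-tpm0}"
```
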